The ability to isolate an endpoint is invaluable when working through the containment phase of incident response. Isolating an endpoint prevents all network communication, with the exception of communication to the Endpoint Detection and Response (EDR)/ Endpoint Protection Platforms (EPP) platform and any configured exclusions.

Endpoint isolation is only available to users with the Responder role.

Isolate an endpoint

1. View the endpoint using ⌘-K or by clicking Endpoints and filtering for the endpoint’s hostname.
2. Click Isolate Endpoint. 
3. Read and acknowledge the resulting prompt.

Isolate an endpoint referenced by a threat

1. View the threat using ⌘-K or by clicking Threats and filtering for the threat.
2. At the top of the threat timeline, click Respond.
3. Click Isolate Endpoint. 
4. Read and acknowledge the resulting prompt.

Remove isolation from an endpoint

Once a threat has been remediated, isolation can be removed to return the endpoint to normal operation.

1. View the endpoint using ⌘-K or by clicking Endpoints and filtering for the endpoint’s hostname.
2. Click Disable Isolation.
3. Once the endpoint checks in with the server, it will restore normal network operation.

What happens if the endpoint is not online?

You can request isolation of—or remove isolation from—an endpoint that is offline. The request will be queued and executed when the endpoint comes back online and checks in with the EDR/EPP server.

Note: Automated network isolation is the usual use case for isolation. This occurs when the isolation request is queued and executed, and when the endpoint comes back online and checks in with the server. Our Automation section covers this in greater detail.